This article discusses sophisticated APT attacks targeting South Korea, focusing on the use of malicious HWP and LNK files delivered via K Messenger chats. The threats are primarily executed through spear phishing and rely on trust-based tactics to encourage victims to open infected files. The need for organizations to implement robust EDR (Endpoint Detection and Response) security measures is emphasized to enhance detection capabilities against these advanced attacks. Affected: South Korea, organizations using K Messenger, users of HWP files, and Windows PC users.
Keypoints :
- APT attacks targeting South Korea have increased significantly in 2024.
- Various attack methods identified, prominently involving malicious LNK files and HWP documents.
- Initial access is often achieved via spear phishing attacks.
- Threat actors employed strategies to avoid detection by mainstream anti-virus software.
- EDR systems are essential for identifying abnormal behaviors and enhancing threat detection.
- Trust-based strategies are used, leveraging personal relationships to facilitate malware distribution.
- Attack patterns can include the malicious use of OLE objects within HWP files.
- The importance of immediate and proactive response measures against such threats is highlighted.
MITRE Techniques :
- Initial Access (T1071.001) ā Spear phishing emails containing infected HWP and LNK files were used for penetration.
- Execution (T1203) ā Malicious OLE objects in HWP documents executed upon opening.
- Credential Access (T1003) ā Threat actors collect credentials from infected systems.
- Command and Control (T1071) ā Communication with remote servers (C2) for control and data exfiltration.
Indicator of Compromise :
- MD5: 1a70a013a56673f25738cf145928d0f5
- MD5: 1c3bb05a03834f56b0285788d988aae4
- MD5: 1d736803cb8fbb910dc0150087530de7
- IP Address: 172.86.115[.]125
- Email Address: tianling0315@gmail[.]com
Full Story: https://www.genians.co.kr/blog/threat_intelligence/k-messenger